Earlier today, Google researchers Bodo Möller, Thai Duong, and Krzysztof Kotowicz released a paper discussing a serious bug in SSL 3.0 that allows attackers to conduct man-in-the-middle attacks and decrypt the traffic between Web servers and end users.
For example, if you’re shopping online with your credit card, you may think that your information is secure but thanks to this bug (known as POODLE) it may actually be at risk. An attacker can hijack your transaction, retrieve your credit card information, or even change your order.
The bullet points below summarize some key points of this vulnerability:
- CVE ID: CVE-2014-3566
- Popular name: POODLE (Padding Oracle On Downgraded Legacy Encryption)
- Vulnerabilty: SSL 3.0 fallback bug
- Attack vector: Man-in-the-middle
How does the POODLE attack work?
According the paper, the key issue is the integrity of the padding on SSL 3.0 block ciphers. This padding is not verified by the protocol. This will allow an attacker to alter the final block of the SSL cipher if the hacker can successfully hijack the connection from an end user to the Web server. This can lead to the attacker being able to successfully decrypt any encrypted traffic that they are able to capture.
SSL 3.0 is an older encryption protocol that has been around for 15 years. It has been succeeded by TLS (which is now at version 1.2). However, TLS clients and servers will downgrade to earlier versions of the protocol if one side of the transaction does not support the latest version.
Consider the example below. The browser supports version of TLS up to 1.2. In the first handshake, the browser uses the highest protocol version (TLS 1.2) that it supports. If that handshake fails, the browser will retry with earlier versions (TLS 1.1, then TLS 1.0). The attacker then will make it so the browser will downgrade versions up to SSL 3.0, at which point the POODLE vulnerability can then be exploited to decrypt any communications between the two parties.
Figure 1: Attackers may force the communication between a client and server to downgrade from TLS to SSL 3.0 to be able to decrypt the network communication
This vulnerability can be avoided if the SSL 3.0 protocol is disabled. Site administrators can disable support for this on their side; for example these instructions show how to do this in Apache.
End users can disable SSL 3.0 support on their end as well, through the following steps:
- For Chrome users, running Chrome with the command Chrome.exe –ssl-version-min=tls1 will specify that the minimum version of SSL that will be used is TLS 1.0.
- In Firefox, type about:config in the search bar to change settings. Search for the keyword security.tls.version.min and set the value to 1 to disable SSL 3.0 support.
- Internet Explorer users can follow the steps in Security Advisory 3009008 to disable SSL 3.0
For enterprises they can do server patch via the following steps:
- Disable SSL 2.0 and SSL 3.0 in IIS 7 via using this to protect the server.
- Protect Apache httpd + mod_ssl using the command: SSLProtocol All -SSLv2 –SSLv3
- Protect nginx using command: ssl_protocols TLSv1 TLSv1.1 TLSv1.2
Note, however, that disabling SSL3.0 is not a practical step for all users, especially since it can still be needed to work with legacy systems. The security advisory from OpenSSL.org recommended the usage of TLS_FALLBACK_SCSV mechanism to web servers, to ensure that SSL 3.0 is used only when necessary (when a legacy implementation is involved). This way, attackers can no longer force a protocol downgrade.
We will continue to proactively monitor for threats that use this vulnerability and provide updates and solutions as necessary.
Update as of 1:48 PM, October 15, 2014
Trend Micro Deep Security customers are protected from attacks that may leverage POODLE vulnerability via the following DPI rules:
- 1006293 – Detected SSLv3 Request
- 1006296 – Detected SSLv3 Response